Personal data of Children under the GDPR

April 19, 2018
Cyber theft protection of privacy

Introduction:

The protection of privacy rights of the children is of utmost importance in the age of digitalization. This article deals with the protection of the personal data of a child and the related consent mechanism under the GDPR.

Why specific protection necessary?

The personal data of children are exposed to a lot of risks in the cyber world wherein information society services[1] are offered directly to them. The General Data Protection Regulation (hereinafter referred as ‘GDPR’) mentions that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. [2]

Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when they are utilizing the services offered directly to them. However, it must be noted that the consent of the holder of parental responsibility would not be required when preventive or counselling services offered directly to a child.[3]

Age Limit:

Article 8(1) of the GDPR deals with age limit of the child with respect to personal data. It lays down that the processing of personal data of a child shall be lawful where the child is at least 16 years old. However, if the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

Further, GDPR allows the EU Member States to prescribe a lower age limit in the above context however, even such prescribed lower age cannot be below 13 years.[4] It is worth noting that this would not affect the general contract law of the EU Member States such as the rules on the validity, formation or effect of a contract in relation to a child.[5]

Verification of child’s consent:

The Controller of the personal data of children is required to make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child. This implies that parents (or any other person holding parental responsibility) will be more involved in the digital presence of children below the age of 16 (or the age as may be prescribed by the relevant EU member state).[6]

Paragraph 1 shall not affect the general contract law of the EU Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Nature of consent:

Consent of a child whether given by the child himself or authorized by the holder of parental responsibility needs to be specific, free and explicit in nature as well as informed and unambiguous in nature. Also, much like in the case of an adult even the child should be able to withdraw the consent at any time.

For more information please write to us at : info@ssrana.com

_______________________________
[1]As per Article 4(25) of the GDPR, ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council

[2]Recital 38 of the General Data Protection Regulation. Available at:
https://gdpr-info.eu/.

[3]Recital 38 of the GDPR.
[4]Article 8(1) of the GDPR.

[5]Article 8(3) of the GDPR.

[6]Article 8(2) of the GDPR.

For more information please contact us at : info@ssrana.com